Connected Apps for Developers

Anypoint Platform provides a comprehensive set of APIs that developers can use to extend functionality. With the Connected Apps feature, developers can delegate access to applications that use APIs to interact with Anypoint Platform programmatically. While some might use the Connected Apps feature to build CI/CD pipelines, others can productize additional third-party use-cases on top of Anypoint Platform.

In addition to enabling new flows to authenticate users, developers can enable or disable clients and view client usage. For example, developers can see how many organizations are using the app and how many users have access.

The Connected Apps feature supports OAuth 2.0 and OpenID Connect. As such, developers must ensure their app can use tokens to request access to user data. To find out what specific OpenID Connect capabilities are supported, refer to the information provided in the discovery endpoint. All scopes in the endpoint map directly to permissions available in Anypoint Platform, with some exceptions noted in the Endpoint Scopes section.

To foster a consistent authentication experience for end users, third-party developers with their own websites or web apps can allow users to log in using the Sign in with Anypoint Platform option.

Developers who have the organization administrator role can create apps and specify access scopes in Anypoint Platform.

Token Flow

When a developer creates an app, the app requests access to user data. When an end user receives such a request and authorizes the app to access their data, the app receives an access token, which allows the app to call Anypoint Platform on the user’s behalf. The access token allows the app to see who the user is by using the user’s Anypoint Platform credentials. A token is valid for up to 90 minutes.

Endpoint Scopes

Most of the scopes in the discovery endpoint map directly to existing permissions in Anypoint Platform. Other available scopes are defined as follows:

  • full: Full access to anything the user can do.

  • read:full: Read-only access to anything the user can read.

  • openid: Read-only access to the user’s username and unique Anypoint ID.

  • profile: Read-only access to the user’s Anypoint profile.

  • email: Read-only access to the user’s email.

  • offline_access: Access to the user’s data when they are not logged in.

Apps that use client_credentials grant type always have the profile scope assigned to them implicitly. The data returned by queries using the scope correspond to the user who created the connected app.

OIDC Endpoints and Tokens

To work with OpenID Connect, apps that require access to user data when the user isn’t logged in have to exchange refresh tokens for new access tokens. Refresh tokens expire after 90 days. Access tokens expire after the user’s session expires. If the app is using the authorization code grant type, the offline_access scope is required to use refresh tokens after original access tokens expire. To request a new access token, you must send a request to the token endpoint using the refresh_token grant type. When authentication is successful, a refresh token is exchanged for an access token.

The following example shows the structure of a token request given a pre-existing refresh_token:

POST /api/v2/oauth2/token
Content-Type: application/x-www-form-urlencoded

Assuming the token request is fulfilled, the refresh token received in the endpoint response is similar to a regular token response, but it might not contain an id_token.

Log in with Anypoint Platform Widget

For seamless implementation, developers can integrate a button into the front end of their apps with a pre-built template and set of components. They can add this widget using the following code:

<anypoint-signin scopes="full"

For more information about how to embed the button, refer to the developer playground.

Create an App

Before you create an app as an organization administrator, consider the following requirements and restrictions:

  • Your organization can own up to 2000 connected apps, and each connected app can have up to 1000 scopes.

  • A unique clientID is automatically assigned and can’t be modified. However, you can modify client secrets in the Application Settings page.

  • Your app is owned by your organization; any organization administrator can control it.

You should also determine the use-case and whether the app is internal to your company or is a third-party application that can be distributed outside of your organization. To create your app, follow these steps:

  1. In the Access Management navigation menu, click Connected Apps.

  2. Click Create App.

  3. Create your app by completing the fields in the Create App page.

  4. Click Save.

Application Allowlist

Users with the Organization Administrator permission can enable an allowlist to control which apps can access their users' data. When your app is added to an allowlist, only the set of scopes associated with the app are reviewed and approved by the administrator. If you add new scopes to your app at a later date, you are unable to request those scopes from users until the admin re-approves your app. Existing authorizations and new authorizations using the already-allowlisted set of scopes continue to work. For more information, see connected apps for administrators.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub